Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- From: Pawel Jakub Dawidek <pjd@xxxxxxxxxxx>
- Date: Thu, 23 Mar 2006 12:28:44 +0100
On Thu, Mar 23, 2006 at 11:03:10AM +0200, Dmitry Pryanishnikov wrote:
+>
+> Hello!
+>
+> On Wed, 22 Mar 2006, FreeBSD Security Advisories wrote:
+> >II. Problem Description
+> >
+> >IPsec provides an anti-replay service which when enabled prevents an attacker
+> >from successfully executing a replay attack. This is done through the
+> >verification of sequence numbers. A programming error in the fast_ipsec(4)
+> >implementation results in the sequence number associated with a Security
+> >Association not being updated, allowing packets to unconditionally pass
+> >sequence number verification checks.
+> >
+> >III. Impact
+> >
+> >An attacker able to to intercept IPSec packets can replay them. If higher
+> >level protocols which do not provide any protection against packet replays
+> >(e.g., UDP) are used, this may have a variety of effects.
+>
+> As far as I understood, only systems which use "options FAST_IPSEC" are affected by this issue. Is it true? If so, wouldn't be wise to stress this
+> fact in the advisory?
Yes, only FAST_IPSEC and only ESP (AH is ok).
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
Attachment:
pgpSylx325Rct.pgp
Description: PGP signature
- References:
- Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- From: Dmitry Pryanishnikov
- Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- Prev by Date: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- Next by Date: Re: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail
- Previous by thread: Re: FreeBSD Security Advisory FreeBSD-SA-06:11.ipsec
- Next by thread: FreeBSD Security Advisory FreeBSD-SA-06:12.opie
- Index(es):
Relevant Pages
|
|
